FY 2011 OFFICE OF INSPECTOR GENERAL
FISMA AUDIT OF GSA’S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A110160/O/F/F11008

September 28, 2011

Date: September 28, 2011

To: Casey Coleman
    Chief Information Officer (I)

Reply to Attn of: Carolyn Presley-Doss
    Deputy Assistant Inspector General for Finance and Information Technology Audits (JA-F)

Subject: FY 2011 Office of Inspector General FISMA Audit of GSA’s Information Technology Security Program, Report Number A110160/O/F/F11008

The General Services Administration’s (GSA’s) Information Technology (IT) Security Program provides guidance and conducts oversight of efforts to protect GSA systems. The Federal Information Security Management Act of 2002 (FISMA) directs Inspectors General (IGs) to perform an annual independent evaluation of their respective Agency’s information technology security program and controls for select systems. This audit report presents the results of the Office of Inspector General’s fiscal year (FY) 2011 audit of GSA’s IT Security Program and reflects results from three system security audits conducted during the year and other tests. Appendix A provides the objective, scope, and methodology for the audit.

According to FISMA, the Office of Management and Budget (OMB) is responsible for summarizing the results of agency evaluations in a report to Congress. For FY 2011 reporting, IGs are required to assess Agency information security performance in key areas, including risk management, configuration management, security training, incident response and reporting, and identity and access management.

RESULTS OF AUDIT

GSA’s Chief Information Officer (GSA-CIO) continues to take steps to improve the Agency-wide IT Security Program. For example, the GSA-CIO has updated GSA’s IT Security Policy, published procedural guidance on a variety of information security topics, and expanded the IT Security Program to include additional technical testing requirements. However, we found that additional steps are needed to strengthen GSA’s IT Security Program in five key areas: (1) configuration management, (2) social media technologies, (3) security documentation labeling, (4) contractor background investigations, and (5) warning banners.

Further Expansion of Technical Testing Processes Could Improve Configuration Management

Continued improvements are needed to better secure GSA systems and data. In particular, in the two systems that we were able to test,[1] we identified weaknesses relating to security misconfigurations and unpatched database or operating system software. As a result, these systems and their sensitive data were placed at an increased risk of inappropriate access, modification, or destruction.

Weaknesses occurred because system security officials did not ensure that GSA’s IT Security Policy requirements for baseline configuration were initially applied and maintained with enough rigor. Additionally, GSA does not require authenticated operating system testing (credentialed scanning from inside the host, which can see installed patch levels and local security settings that an unauthenticated network scan cannot). Our authenticated operating system testing identified multiple weaknesses. Finally, language in GSA’s IT Security Policy conflicts with other GSA guidance, which outlines management’s IT security responsibilities regarding technical testing frequency requirements. For one of the systems, GSA officials did not conduct quarterly database scanning due to the conflicting requirements. GSA’s IT Security Policy requires all information systems to be securely hardened and patched while in operation. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53[2] requires organizations to configure the security settings of IT systems to the most restrictive mode consistent with operational requirements.

Additional Oversight of GSA’s Use of Public Social Media Technologies Would Reduce Risks

GSA is implementing social media technologies to communicate with the public to meet goals for a government that is more citizen-centered, transparent, participatory, and collaborative. We reviewed two public GSA social media websites and identified areas needing additional oversight and monitoring to better manage IT security risks.

The first website reviewed was a wiki[3] that was the target for spam postings.[4] These spam postings were available for several months prior to our identification. This website was based on the same platform as a previously identified GSA social site targeted with spam. Additionally, the site allowed new posts to be published without prior review by GSA. Automated programs and malicious users could post inappropriate information in the same manner. According to NIST SP 800-44,[5] these postings “can affect the organization’s image where visitors view the submitted content as an endorsement. They may also affect the Web site’s availability by making it difficult for users to find necessary content.” GSA’s social media guidance requires website administrators to “review all comments before posting them.” Lack of consistent and scheduled reviews of GSA’s public sites may lead to late discoveries of such issues, which may cause reputation and data loss. Further, while this site was included as part of the quarterly reviews of social media websites conducted by the GSA-OCIO, these reviews were not rigorous enough to discover the spam postings.

The second website review identified a configuration weakness that placed the confidentiality of users’ private communications at risk. This occurred because system officials did not follow GSA’s guidance for web application security. Additionally, this site was not included in the GSA-OCIO’s quarterly reviews of social media websites.

A common cause of the identified problems was that both GSA’s social media guidance and GSA’s IT security guidance do not address security risks to social media platforms. For example, NIST SP 800-44 identifies methods for controlling the impact of spambots[6] in web applications. Additionally, GSA’s IT security guidance and social media guidance do not reference each other.

Additional Guidance for Labeling Security Documentation Would Reduce the Risk of Inappropriate Disclosure

During the course of our audits, we identified sensitive documents on a public GSA website, including IT security documentation that placed GSA systems and data at increased risk. The documents lacked restrictive labeling, such as “Controlled Unclassified Information.” Excluding guidance for procuring contractor systems, GSA’s IT Security Policy and other guidance do not include specific requirements for labeling security documentation for all GSA systems. According to NIST SP 800-53, the organization must protect system security documentation, as required. GSA determined that these documents should not have been disclosed.

Specific Guidance for Conducting Government Background Investigations for Contractors Using Commercial Systems Would Reduce Risk

Contractor personnel supporting two of the contractor systems we reviewed had not undergone government background investigations despite contract and GSA policy requirements. Instead, the contractors conducted background investigations using their internal criteria that did not include all aspects of a government background investigation. Government background investigations are necessary to ensure that contractor personnel are suitable to access GSA systems and data.

Government background investigations were not completed because GSA system officials did not identify individuals requiring background investigations. Additionally, GSA lacks specific guidance to assist GSA system officials in identifying personnel requiring government background investigations.

Enhanced Monitoring of Warning Banners Would Aid in Consistent Implementation of Policy

All three reviewed systems deviated from GSA’s IT Security Policy regarding warning banners. Two systems displayed warning banners on their main login page that were inconsistent with GSA requirements. The third system did not include any warning banner on its main login page. Warning banners are important since they caution individuals with malicious intent of the potential legal ramifications of their acts. According to GSA’s IT Security Policy, all systems must display an approved warning banner to all users attempting to access the systems. The GSA-CIO has not provided adequate oversight to ensure appropriate warning banners are in place.

Notes

[1] We conducted technical testing for two of the three systems reviewed. We were able to fully conduct technical testing for one system. For the second system, we were able to conduct limited technical testing, but were restricted by the contractor providing the system from performing authenticated operating system testing. For the third system, we were unable to perform any technical testing due to restrictions placed upon us by the contractor providing the system.
[2] NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Rev. 3, August 2009.
[3] A wiki is a piece of server software that allows users to freely create and edit web page content using any web browser. A wiki supports hyperlinks and has a simple text syntax for creating new pages and crosslinks between internal pages on the fly.
[4] Spam postings are unsolicited bulk messages that often contain malware. Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
[5] NIST SP 800-44, Guidelines on Securing Public Web Servers, Version 2, September 2007.
[6] Spambots are an example of web bots, which are software applications used to collect, analyze, and index web content. More specifically, spambots crawl web sites for login forms to create free e-mail addresses from which to send spam, or to spam blogs, guestbooks, wikis, and forums to boost the search engine rankings of a particular web site.

RECOMMENDATIONS

To improve GSA’s IT Security Program and to ensure the security of GSA systems, data, and operations, we recommend that the GSA-CIO take actions to:

   1. Strengthen configuration management practices by:
      a. Ensuring that authenticated operating system testing is conducted for all GSA systems.
      b. Updating the GSA IT Security Policy and related guidance to clarify technical testing frequency requirements.
   2. Improve security of GSA’s social media technologies by:
      a. Updating GSA’s guidance, including policies, for social media and IT security to address risks specific to social media.
      b. Strengthening the existing reviews of GSA’s social media sites to ensure that the inventory is complete and the risks identified in this report are addressed.
      c. Establishing IT security standards for social media platforms widely used at GSA.
   3. Clarify labeling requirements for GSA’s sensitive security documentation.
   4. Improve personnel security of commercial systems used to provide government services by:
      a. Developing guidance to assist GSA system officials in identifying contractor personnel in positions that require government background investigations.
      b. Monitoring whether GSA system officials are adhering to this guidance.
   5. Ensure that appropriate warning banners are displayed.

MANAGEMENT COMMENTS

The GSA-CIO concurred with the findings and recommendations outlined in this report. A copy of the GSA-CIO’s comments is included in its entirety in Appendix B.

INTERNAL CONTROLS

This audit included a review of elements of GSA’s IT Security Program including select management, operational, and technical controls for three GSA systems. We did not test all controls across GSA. The Results of Audit and Recommendations sections of this report state, in detail, the need to strengthen specific processes and controls established within the GSA IT Security Program.

We would like to express our thanks to the GSA-OCIO for their assistance and cooperation during this audit. Please contact me if you have any questions regarding this report.

William Salamon
Audit Manager
Finance and Information Technology Audit Office (JA-F)

APPENDIX A – OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine if the General Services Administration (GSA) has developed, documented, and implemented an Agency-wide information security program. To address this objective we:

   • Reviewed policies, procedures, technical guides, and standards established within GSA’s IT Security Program.
   • Assessed the implementation of GSA’s IT Security Program for three select GSA systems. For these systems, we conducted security audits to determine whether management, operational, and technical controls had been implemented to effectively manage risks.
   • Met with GSA IT security officials in the Office of the GSA Chief Information Officer, Federal Acquisition Service, and Public Buildings Service.
   • Evaluated the implementation of information security program elements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, October 2006.
   • Applied the NIST Federal Information Processing Standards Publications and SP 800 series security guidelines.
   • Utilized applicable information security regulations, policies, and guidance.
   • Examined system certification and accreditation packages, including system risk assessments, security plans, security assessment results, contingency plans, and plans of action and milestones.
   • Conducted operating system, database, and web application security testing for the select systems we reviewed.
   • Reviewed security controls for two of GSA’s public social media websites.
   • Reviewed publicly released documents and GSA policies and procedures related to labeling of sensitive security documents.

We conducted this performance audit in accordance with generally accepted government auditing standards between January and August of 2011. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX B – MANAGEMENT COMMENTS

APPENDIX C – REPORT DISTRIBUTION

Recipient: Copies*
GSA Chief Information Officer (I): 1
Senior Agency Information Security Officer (IS): 1
Director, GAO and IG Audit Response Branch (BCBB): 1
Assistant Inspector General for Auditing (JA): 1
Director, Audit Planning, Policy, and Operations Staff (JAO): 1
Deputy Assistant Inspector General for Investigations (JID): 1

*Provided Electronically
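The warning-banner finding in the Results of Audit (and Recommendation 5) calls for ongoing monitoring that every system’s main login page shows the approved banner, and the audit saw all three outcomes: approved text, inconsistent text, and no banner at all. The Python script below is an added example, not part of this report and not a GSA tool: it extracts the visible text of a login page (ignoring script and style content), normalizes whitespace and case, and classifies the page as compliant, inconsistent (some warning language present but not the approved wording), or missing. The approved banner text, the marker phrases, and the three sample login pages are placeholders constructed for the example; the report does not reproduce GSA’s actual approved banner wording.

```python
"""Warning-banner compliance check over login-page HTML.

Added example, not from the audit report. APPROVED_BANNER is a
placeholder (assumption), not GSA's approved banner text, and the
SAMPLE_PAGES are constructed to mirror the report's three outcomes:
compliant, inconsistent, and missing.
"""
import re
from html.parser import HTMLParser

# Placeholder for the agency-approved banner wording (assumption).
APPROVED_BANNER = (
    "This is a U.S. Government computer system. Use of this system is "
    "restricted to authorized users and is subject to monitoring. "
    "Unauthorized use is prohibited and may be subject to criminal "
    "and civil penalties."
)

# Phrases whose presence means *some* warning banner is shown even when
# the wording deviates from the approved text (assumed markers; tune to
# the approved banner in use).
BANNER_MARKERS = (
    "government computer system",
    "unauthorized use",
    "subject to monitoring",
)


class _TextExtractor(HTMLParser):
    """Collect the visible text of a page, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def _normalize(text):
    """Case-fold and collapse whitespace so page layout does not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def visible_text(html):
    """Return the normalized visible text of an HTML document."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return _normalize(" ".join(parser.parts))


def check_banner(html, approved=APPROVED_BANNER):
    """Classify a login page as 'compliant', 'inconsistent', or 'missing'."""
    text = visible_text(html)
    if _normalize(approved) in text:
        return "compliant"
    if any(marker in text for marker in BANNER_MARKERS):
        return "inconsistent"
    return "missing"


# Constructed sample login pages (not real GSA systems).
SAMPLE_PAGES = {
    "system-a": """<html><body><div class="banner">This is a U.S. Government
        computer system.   Use of this system is restricted to authorized users
        and is subject to monitoring. Unauthorized use is prohibited and may be
        subject to criminal and civil penalties.</div>
        <form action="/login"><input name="user"><input name="pass" type="password"></form>
        </body></html>""",
    "system-b": """<html><body><p>Warning: unauthorized use of this system is
        prohibited.</p><form action="/login"><input name="user"></form></body></html>""",
    "system-c": """<html><head><script>var banner = "Government computer system";</script>
        </head><body><h1>Sign in</h1><form action="/login"><input name="user"></form>
        </body></html>""",
}


def audit(pages=SAMPLE_PAGES):
    """Run the check over a mapping of system name -> login page HTML."""
    return {name: check_banner(html) for name, html in pages.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name}: {status}")
```

In practice the page bodies come from fetching each system’s login URL with whatever HTTP client the monitoring job already uses; the check is deliberately whitespace- and case-insensitive so that line wrapping or markup changes do not produce false "inconsistent" results. One caveat: the script reads only the HTML as served, so a banner that is injected by client-side JavaScript (as in the constructed system-c page) is reported as missing; if a system renders its banner that way, test the rendered DOM or treat that design itself as a finding, since the banner must be shown to every user attempting access.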